
Removed all Textile references and corrected sanitization of comments

pecesama 16 years ago
parent
commit
e268a1e22a
7 changed files with 198 additions and 183 deletions
  1. 11 1
      admin/bm.php
  2. 5 6
      admin/comments.php
  3. 1 1
      admin/index.php
  4. 3 3
      classes/comments.class.php
  5. 1 1
      classes/functions.php
  6. 0 1
      entry.php
  7. 177 170
      themes/tumblr/index.htm

+ 11 - 1
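--- a/admin/bm.php
+++ b/admin/bm.php
@@ -208,7 +208,17 @@ if ($user->isAdmin()) {
 							}
 ?>
 								<p>
-									<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;"><a href="http://hobix.com/textile/">Textile</a> <?php echo __("syntax is supported.")?></span>
+									<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;">
+                                    	<?php echo __("Some HTML allowed")?>:<br />
+										&nbsp;&nbsp;&nbsp;&nbsp;
+										<code>
+                                            &lt;strong&gt; &lt;em&gt; &lt;del&gt; &lt;ul&gt;  &lt;ol&gt;  &lt;li&gt; &lt;a&gt;
+                                            <br />
+                                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;blockquote&gt;
+                                            &lt;code&gt; &lt;pre&gt; &lt;img&gt;
+										</code>
+										<br /><br />
+                                    </span>
 								</p>
 								<p>
 									<input class="btn" type="submit" name="btnAdd" value="Create post" />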

+ 5 - 6
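--- a/admin/comments.php
+++ b/admin/comments.php
@@ -22,13 +22,12 @@ $isEdition = isset($_GET["edit"]);
 $commentId = ($isEdition) ? $_GET["edit"] : NULL;
 	
 if(isset($_POST["btnAdd"]))	{		
-	unset($_POST["btnAdd"]);
+	unset($_POST["btnAdd"]);	
 	
-	$textile = new Textile();
-	
-	$_POST["username"] = $textile->TextileThis(removeBadTags($_POST["username"]));
-	$_POST["email"] = $textile->TextileThis(removeBadTags($_POST["email"]));
-	$_POST["web"] = $textile->TextileThis(removeBadTags($_POST["web"]));
+	$_POST["username"] = strip_tags($_POST["username"]);
+	$_POST["email"] =  strip_tags($_POST["email"]);
+	$_POST["web"] = strip_tags($_POST["web"]);
+	$_POST["content"] = removeBadTags($_POST["content"], true);
 		
 	if (isset($_POST["id_comment"])) {
 		if ($isAdmin) {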
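Review bot: The four new assignments remove tags but do nothing about attributes or output context, and these values are later echoed by the theme (`{$comment.Comment_Author}`, `{$comment.Comment}`, the `value="{whois.*_Cookie}"` attributes) and written into cookies by generateCookie. `strip_tags()` leaves quotes and `&` untouched, so username, email and web still need `htmlspecialchars(..., ENT_QUOTES)` wherever they are rendered, and `web` should be checked for an `http`/`https` scheme before it is used as a link. For `content`, the `$secure` whitelist changed in the classes/functions.php hunk now keeps `<a>`, and if removeBadTags is built on `strip_tags()` with an allowed-tag list (its body is outside that hunk) the attributes of kept tags pass through unchanged, so `href` and event-handler attributes need their own filter. None of the `$_POST[...]` reads are guarded either; `isset()` checks with an empty-string default would avoid notices on a malformed submission. The enclosing `if(isset($_POST["btnAdd"]))` block continues past the end of the hunk.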

+ 1 - 1
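--- a/admin/index.php
+++ b/admin/index.php
@@ -318,7 +318,7 @@ if ($user->isAuthenticated()) {
 										<br />
 										&nbsp;&nbsp;&nbsp;&nbsp;&lt;blockquote&gt;
                                         &lt;code&gt; &lt;pre&gt; &lt;img&gt;
-										<code>
+										</code>
 										<br /><br />
                                         Bookmarklet - <a class="bookmarklet" title="<?php echo __("Drag to the Bookmarks Toolbar")?>" href="javascript:var w; setTimeout('w.focus()',100);w=window.open('<?php echo $conf->urlGelato; ?>/admin/bm.php?url='+encodeURIComponent(location.href)+'&sel='+encodeURIComponent(window.getSelection()),'bookmarklet','toolbar=0,resizable=0,status=1,width=650,height=540,dependent=yes' ); w.focus();"><?php echo __("add to gelato")?></a>
                                         <br /><br />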

+ 3 - 3
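--- a/classes/comments.class.php
+++ b/classes/comments.class.php
@@ -28,9 +28,9 @@ class comments extends Conexion_Mysql {
 	}
 	
 	function generateCookie($fieldsArray) {
-		setcookie("cookie_gel_user", $fieldsArray["username"], time() + 30000000);
-		setcookie("cookie_gel_email", $fieldsArray["email"], time() + 30000000);
-		setcookie("cookie_gel_web", $fieldsArray["web"], time() + 30000000);
+		setcookie("cookie_gel_user", $fieldsArray["username"], time() + 30000000, "/");
+		setcookie("cookie_gel_email", $fieldsArray["email"], time() + 30000000, "/");
+		setcookie("cookie_gel_web", $fieldsArray["web"], time() + 30000000, "/");
 	}
 	
 	function isSpam($fieldsArray) {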
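Review bot: The three cookies now get a path but still no `httponly` flag, and they carry user-typed values for roughly 347 days (`30000000` seconds). They appear to be read only server-side to prefill the comment form (`{whois.*_Cookie}` in the theme), so `setcookie("cookie_gel_user", $fieldsArray["username"], time() + 30000000, "/", "", false, true);` — the positional `httponly` argument available since PHP 5.2 — costs nothing, and the `secure` argument can follow `isset($_SERVER["HTTPS"])` where the site is served over TLS. Naming the lifetime once (a class constant such as `COOKIE_LIFETIME`) would also make the three lines self-describing. generateCookie is complete within the hunk.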

+ 1 - 1
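--- a/classes/functions.php
+++ b/classes/functions.php
@@ -401,7 +401,7 @@ if(!defined('entry') || !entry) die('Not a valid page');
 
 	function removeBadTags($source,$secure=false) {
 		if($secure){
-			$validTags ='<abbr><acronym><em><i><strong><b><span>';
+			$validTags ='<blockquote><code><em><i><strong><b><a>';
 		} else {
 			$validTags ='<p><ol><ul><li><a><abbr><acronym><blockquote><code><pre><em><i><strong><b><del><br><span><div><img>';
 		}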
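Review bot: The two whitelists in removeBadTags are undocumented, and this hunk changes what `$secure` means without saying why (`<abbr><acronym><span>` drop out, `<blockquote><code><a>` come in). A docblock above the function along the lines of `/** Reduces $source to a tag whitelist. $secure=true is the smaller set applied to untrusted comment bodies (see admin/comments.php); $secure=false is the fuller set that the admin post forms appear to rely on. */` would pin that contract and give a reason to keep the help text in admin/bm.php and themes/tumblr/index.htm in step with these lists. The function body continues past the end of the hunk, so whether attributes of the kept tags are filtered cannot be judged here.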

+ 0 - 1
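--- a/entry.php
+++ b/entry.php
@@ -56,7 +56,6 @@ if($installed) {
 }
 
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'configuration.class.php');
-require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'textile.class.php');
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'gelato.class.php');
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'templates.class.php');
 require_once(Absolute_Path.'classes'.DIRECTORY_SEPARATOR.'themes.class.php');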

+ 177 - 170
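--- a/themes/tumblr/index.htm
+++ b/themes/tumblr/index.htm
@@ -1,171 +1,178 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
-	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-<head>
-	{Gelato_includes}
-    <title>{Page_Title}</title>
-    <!--[if IE]>
-        <style type="text/css">
-            div.post div.quote span.quote big.quote {
-                line-height: 40px;
-            }
-        </style>
-    <![endif]-->
-</head>
-<body>
-    <div id="container">
-        <a href="{URL_Tumble}/rss.php"><img src="{URL_Tumble}/themes/{Template_name}/img/rss.gif" id="rss" alt="RSS" title="RSS" /></a>
-
-        <h1><a href="{URL_Tumble}/">{Title}</a></h1>
-
-            <div id="description">
-                {Description}
-            </div>
-
-		{if {$isAuthenticated}}
-			<div style="padding:4px; border:solid 2px #bbb; display:inline; background-color:#ddd; position:absolute; top:3px; right:3px;">
-				<b>Hi, {User}.</b>&nbsp;&nbsp;
-				<a target="_top" href="{URL_Tumble}/admin/index.php">Add/Edit my posts</a>&nbsp;&nbsp;
-				<a target="_top" href="{URL_Tumble}/admin/close.php">Sign out</a>
-			</div>
-		{/if}
-
-		{if {$error}}
-			<div class="error">{$error}</div>
-		{else}
-			{block {$rows} as {$row}}
-				<div class="date">
-					{$row.Date_Added}
-				</div>
-				{if {$row.postType}==1}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-
-						<div class="regular">
-							<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
-							{$row.Body}
-						</div>
-					</div>
-				{elseif {$row.postType}==2}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="photo">
-							<a {$row.Effect}><img src="{$row.PhotoURL}" alt="{$row.PhotoAlt}" /></a><br/>
-							<div class="caption">{$row.Caption}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==3}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="quote">
-							<span class="quote"><big class="quote"><a href="{$row.Permalink}">&#147;</a></big> {$row.Quote}</span>
-							<div class="source">&mdash; {$row.Source}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==4}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-							<div class="link">
-								&#187; <a href="{$row.URL}">{$row.Name}</a>
-							<div class="description">{$row.Description}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==5}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="conversation">
-								...<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
-							{$row.Conversation}
-						</div>
-					</div>
-				{elseif {$row.postType}==6}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="video">
-							{$row.Video}
-							<div class="caption">{$row.Caption}</div>
-						</div>
-					</div>
-				{elseif {$row.postType}==7}
-					<div class="post">
-						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
-						<div class="video">
-							{$row.Mp3}
-							<div class="caption">{$row.Caption}</div>
-						</div>
-					</div>
-				{/if}
-
-			{if !{$id_post}}
-				<div class="totalComments">
-					<h3>Posted by {$row.User} - <a href="{$row.Permalink}#comments">( {$row.Comments_Number} ) comments</a></h3>
-				</div>
-			{/if}
-		{/block}
-
-		{if {$id_post}}
-			<div class="containerComments">
-				<h3 id="comments">{$row.Comments_Number} answers to &#8220;{$row.Post_Title}&#8221;</h3>
-				<ol class="commentlist">
-					{block {$comments} as {$comment}}
-					<li class="alt" id="comment-{$comment.Id_Comment}">
-						<cite>
-							<a href="#comment-{$comment.Id_Comment}" title="Comment permalink">#</a>&nbsp;&nbsp;
-							{$comment.Comment_Author} said:
-						</cite>
-						<br />
-						<span class="timestampComment"> at {$comment.Date}</span><br /><br />
-						{$comment.Comment}
-						<br /><br />
-					</li>
-					{/block}
-				</ol>
-			</div>
-
-			<div class="containerFormComments">
-			<h3 id="respond">Add your comment</h3>
-
-			<form action="{Form_Action}" method="post" name="commentForm" id="commentForm">
-				<p>
-					<label for="username">
-						<small>Name:</small>
-					</label>
-					<input name="username" id="username" value="{whois.User_Cookie}" size="22" tabindex="1" type="text" />
-				</p>
-				<p>
-					<label for="email">
-						<small>E-mail:</small>
-					</label>
-					<input name="email" id="email" value="{whois.Email_Cookie}" size="22" tabindex="2" type="text" />
-				</p>
-				<p>
-					<label for="web">
-						<small>Website:</small>
-					</label>
-					<input name="web" id="web" value="{whois.Web_Cookie}" size="22" tabindex="3" type="text" />
-				</p>
-				<p>
-					<textarea name="content" id="content" cols="100" rows="10" tabindex="4"></textarea>
-				</p>
-				<p>
-					<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;"><a href="http://hobix.com/textile/">Textile</a> syntax is supported.</span>
-				<p>
-					<input type="submit" value="Add comment" name="btnAdd" id="btnAdd" tabindex="5" />
-				</p>
-				<p>
-					<input name="id_post" id="id_post" value="{id_post}" type="hidden" />
-					<input name="comment_date" id="comment_date" value="{Date_Added}" type="hidden" />
-				</p>
-			</form>
-		</div>
-		{else}
-			{pagination}
-		{/if}
-	{/if}
-	</div>
-	<div id="footer">
-		subscribe via <a href="{URL_Tumble}/rss.php">rss</a> &nbsp;/&nbsp;
-		powered by <a href="http://www.gelatocms.com/">gelato cms</a>
-	</div>
-</body>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+	{Gelato_includes}
+    <title>{Page_Title}</title>
+    <!--[if IE]>
+        <style type="text/css">
+            div.post div.quote span.quote big.quote {
+                line-height: 40px;
+            }
+        </style>
+    <![endif]-->
+</head>
+<body>
+    <div id="container">
+        <a href="{URL_Tumble}/rss.php"><img src="{URL_Tumble}/themes/{Template_name}/img/rss.gif" id="rss" alt="RSS" title="RSS" /></a>
+
+        <h1><a href="{URL_Tumble}/">{Title}</a></h1>
+
+            <div id="description">
+                {Description}
+            </div>
+
+		{if {$isAuthenticated}}
+			<div style="padding:4px; border:solid 2px #bbb; display:inline; background-color:#ddd; position:absolute; top:3px; right:3px;">
+				<b>Hi, {User}.</b>&nbsp;&nbsp;
+				<a target="_top" href="{URL_Tumble}/admin/index.php">Add/Edit my posts</a>&nbsp;&nbsp;
+				<a target="_top" href="{URL_Tumble}/admin/close.php">Sign out</a>
+			</div>
+		{/if}
+
+		{if {$error}}
+			<div class="error">{$error}</div>
+		{else}
+			{block {$rows} as {$row}}
+				<div class="date">
+					{$row.Date_Added}
+				</div>
+				{if {$row.postType}==1}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+
+						<div class="regular">
+							<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
+							{$row.Body}
+						</div>
+					</div>
+				{elseif {$row.postType}==2}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="photo">
+							<a {$row.Effect}><img src="{$row.PhotoURL}" alt="{$row.PhotoAlt}" /></a><br/>
+							<div class="caption">{$row.Caption}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==3}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="quote">
+							<span class="quote"><big class="quote"><a href="{$row.Permalink}">&#147;</a></big> {$row.Quote}</span>
+							<div class="source">&mdash; {$row.Source}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==4}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+							<div class="link">
+								&#187; <a href="{$row.URL}">{$row.Name}</a>
+							<div class="description">{$row.Description}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==5}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="conversation">
+								...<h2><a href="{$row.Permalink}">{$row.Title}</a></h2>
+							{$row.Conversation}
+						</div>
+					</div>
+				{elseif {$row.postType}==6}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="video">
+							{$row.Video}
+							<div class="caption">{$row.Caption}</div>
+						</div>
+					</div>
+				{elseif {$row.postType}==7}
+					<div class="post">
+						<a href="{$row.Permalink}"><img src="{URL_Tumble}/themes/tumblr/img/link.gif" class="permalink" alt="Permalink"/></a>
+						<div class="video">
+							{$row.Mp3}
+							<div class="caption">{$row.Caption}</div>
+						</div>
+					</div>
+				{/if}
+
+			{if !{$id_post}}
+				<div class="totalComments">
+					<h3>Posted by {$row.User} - <a href="{$row.Permalink}#comments">( {$row.Comments_Number} ) comments</a></h3>
+				</div>
+			{/if}
+		{/block}
+
+		{if {$id_post}}
+			<div class="containerComments">
+				<h3 id="comments">{$row.Comments_Number} answers to &#8220;{$row.Post_Title}&#8221;</h3>
+				<ol class="commentlist">
+					{block {$comments} as {$comment}}
+					<li class="alt" id="comment-{$comment.Id_Comment}">
+						<cite>
+							<a href="#comment-{$comment.Id_Comment}" title="Comment permalink">#</a>&nbsp;&nbsp;
+							{$comment.Comment_Author} said:
+						</cite>
+						<br />
+						<span class="timestampComment"> at {$comment.Date}</span><br /><br />
+						{$comment.Comment}
+						<br /><br />
+					</li>
+					{/block}
+				</ol>
+			</div>
+
+			<div class="containerFormComments">
+			<h3 id="respond">Add your comment</h3>
+
+			<form action="{Form_Action}" method="post" name="commentForm" id="commentForm">
+				<p>
+					<label for="username">
+						<small>Name:</small>
+					</label>
+					<input name="username" id="username" value="{whois.User_Cookie}" size="22" tabindex="1" type="text" />
+				</p>
+				<p>
+					<label for="email">
+						<small>E-mail:</small>
+					</label>
+					<input name="email" id="email" value="{whois.Email_Cookie}" size="22" tabindex="2" type="text" />
+				</p>
+				<p>
+					<label for="web">
+						<small>Website:</small>
+					</label>
+					<input name="web" id="web" value="{whois.Web_Cookie}" size="22" tabindex="3" type="text" />
+				</p>
+				<p>
+					<textarea name="content" id="content" cols="100" rows="10" tabindex="4"></textarea>
+				</p>
+				<p>
+					<span style="color: rgb(136, 136, 136); margin-bottom: 10px; font-size: 10px;">
+                    	Some HTML allowed:<br />
+                        &nbsp;&nbsp;&nbsp;&nbsp;
+                        <code>
+                            &lt;blockquote&gt; &lt;code&gt; &lt;em&gt; &lt;strong&gt; &lt;a&gt;
+                        </code>    
+                	</span>
+                </p>
+		  		<p>
+					<input type="submit" value="Add comment" name="btnAdd" id="btnAdd" tabindex="5" />
+				</p>
+				<p>
+					<input name="id_post" id="id_post" value="{id_post}" type="hidden" />
+					<input name="comment_date" id="comment_date" value="{Date_Added}" type="hidden" />
+				</p>
+			</form>
+		</div>
+		{else}
+			{pagination}
+		{/if}
+	{/if}
+	</div>
+	<div id="footer">
+		subscribe via <a href="{URL_Tumble}/rss.php">rss</a> &nbsp;/&nbsp;
+		powered by <a href="http://www.gelatocms.com/">gelato cms</a>
+	</div>
+</body>
 </html>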
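Review bot: The new help text on line 155 lists `<blockquote> <code> <em> <strong> <a>`, but the `$secure=true` whitelist introduced in classes/functions.php in this same commit also keeps `<i>` and `<b>`; if this form submits to admin/comments.php (which passes `true`), either add those two to the hint or drop them from the whitelist so the two agree. Separately, every line of the file shows as removed and re-added with identical content, which looks like a line-ending change rather than an edit — normalizing CRLF/LF (for example via .gitattributes) would keep future diffs to the lines that really changed. The cookie-prefilled `value="{whois.*_Cookie}"` attributes on lines 133, 139 and 145 echo user-typed values, so whatever expands `{whois.*}` needs to attribute-escape them; that expansion is outside this file.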